NTFS Security for ASP pages on a Web Server ???!!

Jonine

Programmer
Sep 28, 1999
8
US
Can anyone recommend a simple security implementation for a series of ASP pages (about 20 pages) which are to be placed on a web server?
We want to restrict access to these pages to authorised users. The live, public web pages are also on the same web server, so the machine has to be accessible to the world wide web.
It has been suggested that we could simply implement NTFS file permissions on the ASP pages.
However, will our web server know which user is trying to access the ASP pages over the web
... has anyone implemented NTFS security for ASP pages, and does it work?!
Thanks for your input!
 
If you want to restrict access to parts of the same website there are several ways to do it depending on some factors:

1. NT Challenge / Response:
If potential viewers will use NT machines only, implement standard NTFS security on the directory (or even specific files), go to the security tab on Directory properties in MMC and only have the NT Challenge / Response box ticked. This will only allow those with NT accounts / machines to log in.

2. Restrict by IP
If potential viewers will use static IP addresses or a limited subnet then this is by far the most secure method as long as you KNOW that only authorised people will be able to use those machines / IP addresses.

3. Plain passwords
Within the security tab of the directory properties you can also allow Win95 / other OS users who have NT domain accounts to view the pages / directory by checking the plain (or clear) passwords box. This is less secure and not recommended for sensitive material as it is relatively easily broken.

Finally, if you have access to a database why not create a login script with a database backend or, if pushed for time, just use a standard username / password. Then on every page you could check a Session variable to make sure they've logged in or otherwise send them to the login script.
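
The per-page Session check described in the post above, written as a classic ASP include; this is an added example, not code from the thread. The file names `auth_guard.asp` and `login.asp` and the session keys `AuthUser` and `ReturnTo` are assumptions, and the guard also requires SSL so the login form and session cookie are not readable on the wire.

```asp
<%
' auth_guard.asp -- added example; file, page and session key names are assumptions.
' Include as the first line of each protected page (but not of login.asp itself):
'   <!-- #include file="auth_guard.asp" -->
' Assumes login.asp sits in the same directory and sets Session("AuthUser")
' only after it has verified the username and password.

Response.Buffer = True              ' nothing is sent before the checks finish

' Stop browsers and proxies from keeping copies of protected pages.
Response.Expires = -1
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"

Dim guardHost, guardPath, guardQuery
guardHost  = Request.ServerVariables("SERVER_NAME")
guardPath  = Request.ServerVariables("SCRIPT_NAME")
guardQuery = Request.ServerVariables("QUERY_STRING")

' The login form and session cookie cross the Internet, so require SSL.
' IIS reports the HTTPS server variable as "on" or "off".
If LCase(Request.ServerVariables("HTTPS")) <> "on" Then
    Response.Redirect "https://" & guardHost & guardPath
End If

If Session("AuthUser") = "" Then
    ' Remember the requested page on the server side rather than in a URL
    ' parameter, so the post-login redirect target cannot be tampered with.
    If Len(guardQuery) > 0 Then
        Session("ReturnTo") = guardPath & "?" & guardQuery
    Else
        Session("ReturnTo") = guardPath
    End If
    Response.Redirect "login.asp"
End If
' Execution reaches the protected page only for a logged-in session.
%>
```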

 
I found that if I simply used NTFS permissions, and remove the default web user permissions on the ASP page I want secured, I am prompted for a valid NT logon before the page will execute. The only problem I have run into so far is that the pages work fine from the internet, but from our intranet I get an access denied message. According to the documentation, NT security won't work over a proxy and we use a proxy, but even after telling Explorer to bypass the proxy I still can't make it work on the intranet. The internet logon works fine though.

 
Does your web server have an internal and external IP? One on the intranet network and one on the internet? If so, try adding a DNS record (or edit the hosts file if you don't have a DNS server) that points to the internal (local network) IP.
 
Just be careful because if login and password information is sent unencrypted over the internet, you may eventually have a "sniffer" who then becomes an unwelcome visitor.

For a couple of good articles on the different types of security access, see these articles from Microsoft Interactive Developer (now MSDN magazine):


 